Transparent Detection of Computer Malware Using Virtualization

Executive Summary

In this paper, the author explores malware detection using a combination of virtualization- and storage-based intrusion detection techniques. By monitoring disk activity of a virtual machine and correlating that activity to knowledge of the filesystem structure on the virtual machine's disk, an intrusion detection system can react to file changes immediately. Such a system can use a traditional antivirus scanner from the virtual machine monitor on just those files modified within the virtual machine, avoiding the effect of rootkits and other mechanisms that can obscure the view of software operating within the virtual machine, while minimizing unnecessary scanning.
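To make the sector-to-file correlation concrete, here is an added example in Python (written for this summary, not code from the paper): a hand-built extent map stands in for a parsed guest filesystem, a substring match stands in for the antivirus scanner, and a write that lands on filesystem metadata is reported so the caller knows the map must be re-parsed. All paths, sector numbers and the signature are constructed.

```python
"""Toy model of the paper's approach: the VMM sees guest sector writes, a
parsed copy of the guest filesystem layout (a hand-built extent map here, not
a real ext4/NTFS parser) maps them to paths, and a host-side scanner runs on
just those paths. Paths, sectors and SIGNATURE are constructed for this demo."""

SECTOR = 512
SIGNATURE = b"TEST-SIGNATURE"  # constructed stand-in for an AV pattern

# Constructed extent map: path -> [(first_sector, sector_count), ...].
# Sector 0 stands for filesystem metadata (inode table, directories).
FS_LAYOUT = {
    "<metadata>": [(0, 1)],
    "/bin/ls": [(8, 4)],
    "/etc/passwd": [(12, 2), (20, 1)],  # fragmented file
    "/var/log/syslog": [(14, 5)],
}

def apply_writes(disk, writes):
    """Apply observed (sector, data) writes to the image; return (sector, count) ranges."""
    ranges = []
    for sector, data in writes:
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
        ranges.append((sector, -(-len(data) // SECTOR)))  # ceiling division
    return ranges

def files_touched(layout, ranges):
    """Return the paths whose extents intersect any written sector range."""
    touched = set()
    for w_start, w_count in ranges:
        w_end = w_start + w_count  # exclusive
        for path, extents in layout.items():
            if any(w_start < s + c and s < w_end for s, c in extents):
                touched.add(path)
    return touched

def scan_after_writes(layout, disk, writes, signature=SIGNATURE):
    """Return (scanned_paths, flagged_paths, metadata_changed) for one write batch.
    metadata_changed means the extent map must be re-parsed before the next
    batch: a metadata write may move, create or delete files."""
    touched = files_touched(layout, apply_writes(disk, writes))
    scanned = sorted(p for p in touched if p != "<metadata>")
    flagged = []
    for path in scanned:  # scan only what the guest actually modified
        content = b"".join(bytes(disk[s * SECTOR:(s + c) * SECTOR])
                           for s, c in layout[path])
        if signature in content:
            flagged.append(path)
    return scanned, flagged, "<metadata>" in touched
```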